Netsh trace session cannot be killed

  • Question

  • Hello,

    I have a trace session running, generating high IOPS on the C drive on three 2012 R2 servers. It was set by the command:

    netsh trace start capture=yes report=yes scenario=netconnection persistent=yes maxsize=1024 tracefile=c:\support\mslogs\%computername%.etl

    and attached to an event to generate a log on server failure. When the event occurred, the command ran.

    Since then, there have been a number of server reboots, but because of the persistent=yes parameter it was still running. We no longer need that trace running.

    So we deleted the task from Scheduled Tasks, but the trace is still running and cannot be stopped. I tried netsh trace stop, but it says that there is no trace session running. However, we see that there is an active session: when we delete the .etl file it is recreated immediately.

    Does anyone have any idea how to kill this trace session, if it is not visible in netsh?

    Any advice appreciated.

    Thank you

    Saturday, September 21, 2019 9:14 PM

All replies

  • Might take a look here for something related.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by PokerFace_350 Sunday, September 22, 2019 11:45 AM
    Saturday, September 21, 2019 9:51 PM
  • Hello PokerFace_350,

    The command "logman query -ets" will show all running trace sessions. Here is what the output looks like on my PC:

    Data Collector Set                      Type                          Status
    -------------------------------------------------------------------------------
    Circular Kernel Context Logger          Trace                         Running
    AppModel                                Trace                         Running
    ScreenOnPowerStudyTraceSession          Trace                         Running
    DiagLog                                 Trace                         Running
    DiagnosticLogCSP_DeviceProvisioning     Trace                         Running
    EventLog-Application                    Trace                         Running
    EventLog-System                         Trace                         Running
    LwtNetLog                               Trace                         Running
    Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace Trace                         Running
    NetCore                                 Trace                         Running
    NtfsLog                                 Trace                         Running
    RadioMgr                                Trace                         Running
    UBPM                                    Trace                         Running
    WdiContextLog                           Trace                         Running
    WiFiDriverIHVSession                    Trace                         Running
    WiFiSession                             Trace                         Running
    -NetTrace-GARY-Gary                     Trace                         Running
    UserNotPresentTraceSession              Trace                         Running
    Muroc System Trace                      Trace                         Running
    8696EAC4-1288-4288-A4EE-49EE431B0AD9    Trace                         Running
    MpWppTracing-20190917-094526-00000003-ffffffff Trace                         Running
    Diagtrack-Listener                      Trace                         Running
    SHS-09102019-233157-7-3f                Trace                         Running

    I have highlighted in bold text the "netsh trace" session. Its name is of the format <sessionname>-NetTrace-<computername>-<username>. If the "sessionname=" argument to "netsh trace start" is not present, it defaults to an empty string.

    If a sessionname was used to create the trace session then that name also needs to be used in the "netsh trace stop" command.

    If the persistent=yes option is used, an entry is created under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger so that the session will be restarted after a reboot. The entry will also be named <sessionname>-NetTrace-<computername>-<username>.

    If the problem is just a missing sessionname= option then "netsh trace stop sessionname=<whatever>" is the best option.

    One can try to stop the trace by using individual commands.

    logman stop XXX-NetTrace-GARY-Gary should stop the live/current trace. If no sessionname (e.g. XXX) was used then you might need to use a different tool - I have not been able to persuade logman that the leading "-" of an unnamed netsh trace session is part of the session name and not an argument name.

    Deleting the entry from HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger or setting the Start value to zero in the registry key will prevent the trace session from restarting.

    The capture=yes means that "netsh trace" will have modified network bindings and some registry values that record reference counts (e.g. HKLM\SYSTEM\CurrentControlSet\Services\NdisCap\Parameters\RefCount). I think that after a while, these things will "self heal" (for example, after something like a reboot when the NdisCap driver is no longer loaded, a "netsh trace start" finding a positive reference count and no loaded driver will reset the reference count). In any event, this is not a major problem - you probably won't even notice it.

    Gary

    Sunday, September 22, 2019 7:56 AM
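    As an added example (not code from this thread and not a Microsoft tool), the following PowerShell script turns the description above into an audit-and-cleanup routine: it parses logman query -ets for the <sessionname>-NetTrace-<computername>-<username> naming, lists matching keys under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger, and with a -Disable switch (a name chosen for this example) stops named sessions using logman stop <name> -ets, where -ets is logman's own switch for addressing ETW sessions directly rather than Data Collector Sets, and sets the Autologger Start value to 0. The FileName value it reads is the standard Autologger value naming the .etl target; the script assumes an elevated prompt. From a defender's point of view a forgotten persistent capture keeps writing network traffic to an .etl file on disk, so auditing hosts for these is worth doing even when high IOPS is not the symptom.

```powershell
# Added example, not code from the thread. Audits a Windows host for ETW trace
# sessions created by "netsh trace start" and for the Autologger registry entry
# that "persistent=yes" leaves behind, then optionally stops and disables them.
# Assumes the "<sessionname>-NetTrace-<computername>-<username>" naming from the
# post above. The -Disable switch name is chosen for this example. Run elevated.
[CmdletBinding()]
param(
    [switch]$Disable
)

$autologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

# 'logman query -ets' prints one line per live ETW session: "<name> Trace <status>".
# Names can contain spaces, so the name is everything before the Type column.
function Get-RunningEtwSession {
    foreach ($line in (& logman query -ets)) {
        if ($line -match '^(?<name>.+?)\s+Trace\s+(?<status>\w+)\s*$') {
            [pscustomobject]@{ Name = $Matches['name'].Trim(); Status = $Matches['status'] }
        }
    }
}

# netsh names its session "<sessionname>-NetTrace-<computer>-<user>"; with no
# sessionname= argument the name starts with a bare "-NetTrace-".
function Get-NetshTraceSession {
    Get-RunningEtwSession | Where-Object { $_.Name -match '-NetTrace-' }
}

# Each Autologger subkey is a session the kernel restarts at boot.
# Start = 1 means enabled, 0 means disabled; FileName is the .etl target if recorded.
function Get-NetshAutologger {
    if (-not (Test-Path $autologgerRoot)) { return }
    Get-ChildItem $autologgerRoot |
        Where-Object { $_.PSChildName -match '-NetTrace-' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Name     = $_.PSChildName
                Start    = $props.Start
                FileName = $props.FileName
            }
        }
}

$live = @(Get-NetshTraceSession)
$boot = @(Get-NetshAutologger)

Write-Host "Live netsh trace sessions: $($live.Count)"
$live | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "Autologger entries (restart on boot): $($boot.Count)"
$boot | Format-Table -AutoSize | Out-String | Write-Host

if ($Disable) {
    foreach ($s in $live) {
        if ($s.Name.StartsWith('-')) {
            # logman reads a leading "-" as a switch, so an unnamed session cannot be
            # addressed this way; its Autologger entry is disabled below, and the live
            # session goes away via Computer Management (Event Trace Sessions) or a reboot.
            Write-Warning "Cannot stop unnamed session '$($s.Name)' via logman."
            continue
        }
        # -ets targets the ETW session directly; without it logman looks for a
        # Data Collector Set of that name and reports "Data Collector Set was not found".
        & logman stop $s.Name -ets | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "logman stop failed for '$($s.Name)'." }
    }
    foreach ($b in $boot) {
        # Start = 0 keeps the key for inspection but stops the session returning after reboot.
        Set-ItemProperty -Path (Join-Path $autologgerRoot $b.Name) -Name Start -Value 0 -Type DWord
    }
}
```

    Run without -Disable first to see what is present; the Start value is set to 0 rather than the key being deleted so the session's original configuration (including the .etl path) stays available for review until you choose to remove it.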
  • Thank you Dave! Thank you Gary!

    That was it. I managed to find the trace session name using the command 'logman query -ets' provided by Gary; however, I could not stop/delete the trace using the sessionname parameter:

    C:\Windows\system32>netsh trace stop sessionname=NetTrace-xxxxxxxx-xxxxxxx

    The parameter is incorrect.

    logman stop NetTrace-xxxxxxxx-xxxxxxx also did not work:

    C:\Windows\system32>logman stop NetTrace-xxxxxxxx-xxxxxxx

    Error:
    Data Collector Set was not found.

    But I found entries in Computer Management -> Performance -> Data Collector Sets -> Event Trace Sessions and Startup Event Trace Sessions and deleted both; this stopped the trace and deleted the output file and the registry entries from:

    HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger

    Thank you both once again.

    Problem solved.

    • Marked as answer by PokerFace_350 Sunday, September 22, 2019 11:59 AM
    Sunday, September 22, 2019 11:59 AM
  • Glad to hear, you're welcome.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, September 22, 2019 12:19 PM